
All times are UTC - 6 hours




 Post subject: vpn + x11 forwarding + ssh to sun machines
PostPosted: Tue 08-31-2004 4:42PM 
Colonel

Joined: Tue 03-18-2003 6:44PM
Posts: 747

Source: VPN
anyone have any luck?

i set up the cisco vpn client, that works great. i can log into the gpunix machines and launch x11 apps perfectly (and the x11 forwarding goes through an ssh tunnel)

but when i try the same thing on any of the sun machines (mhz, energy, ecesun1, etc) it tries to do the x11 forwarding directly (no tunnel) and it fails miserably. i tried to go test it out on the windows machines in ee105 the other day, but the 2 i tried didnt have xwin32. then i went back today (it looked like they were restoring every machine w/ symantec ghost) and was able to get on a machine w/ xwin32, tried launching xterm and it worked great (but with no ssh tunnel).

so do the x11 ports (6000-600x?) not work through vpn or what?


 Post subject: Re: vpn + x11 forwarding + ssh to sun machines
PostPosted: Tue 08-31-2004 5:40PM 
Colonel

Joined: Wed 02-20-2002 11:27PM
Posts: 867
Location: No one's really sure what became of Castorite after graduation

Source: Off Campus
Mee wrote:
i set up the cisco vpn client, that works great. i can log into the gpunix machines and launch x11 apps perfectly (and the x11 forwarding goes through an ssh tunnel)
Geez. That's two layers of cryptography. While certainly secure, it also introduces quite a bit of overhead. Either VPN or SSH tunneling alone is sufficient to run X11 apps securely. I'd be willing to bet if you dropped one or the other you'd see a performance boost.
Mee wrote:
but when i try the same thing on any of the sun machines (mhz, energy, ecesun1, etc) it tries to do the x11 forwarding directly (no tunnel) and it fails miserably.
Please explain. Is the DISPLAY environment variable on the Sun machine set to the Windows computer you were sitting at, to 127.0.0.1:10, or is it null/non-existent?

It's entirely possible that the Sun machines aren't set up to do X11 SSH tunneling. Since the EE department controls the machines with no IT intervention, they more than likely don't use the campus-standard sshd config file. Next time you're logged into a Sun box, see if you can read /etc/sshd/sshd_config and look for a line that says
Code:
X11Forwarding yes

Mee wrote:
i tried to go test it out on the windows machines in ee105 the other day, but the 2 i tried didnt have xwin32. then i went back today (it looked like they were restoring every machine w/ symantec ghost) and was able to get on a machine w/ xwin32, tried launching xterm and it worked great (but with no ssh tunnel).
I don't think X-Win32 is capable of hosting a SSH session by itself. You'd have to use a utility like PuTTY or OpenSSH to set up the tunnel for you.

Mee wrote:
so do the x11 ports (6000-600x?) not work through vpn or what?
I've gotten X to work over VPN and over SSH. The ports aren't filtered, if that's what you're asking. Never tried the EE Sun machines from off campus before, though.


 Post subject:
PostPosted: Tue 08-31-2004 6:01PM 
Colonel

Joined: Tue 03-18-2003 6:44PM
Posts: 747

Source: VPN
i dont have a choice to drop one or the other, the ssh server (on the gpunix machines) automatically does x11 forwarding through an ssh tunnel so DISPLAY on the gpunix machines is set to localhost:19.0 or 10.0 or always something close to that.

the sun machines, however, have display set to xxxx.vpn.umr.edu:0.0 (hence, no tunnel, its trying to forward directly to me)

checked sshd_config on the sun machines (actually in /etc/ssh) and x11 forwarding is off, but that just means its not done through a tunnel right? i should be able to run x11 apps as long as DISPLAY points to my own x server, right?

and yes, i know about xwin32 and putty. i shortened the whole procedure a bit, what i actually did was start xwin32 then log in w/ putty and launch xterm from there.

basically, if x11 is forwarded through the ssh tunnel it works fine, otherwise not. and its not that the sun machines just WONT allow remote x11 use, because it works fine from on campus (the 105 machines)


 Post subject:
PostPosted: Tue 08-31-2004 6:24PM 
Colonel

Joined: Wed 02-20-2002 11:27PM
Posts: 867
Location: No one's really sure what became of Castorite after graduation

Source: Off Campus
Mee wrote:
i dont have a choice to drop one or the other, the ssh server (on the gpunix machines) automatically does x11 forwarding through an ssh tunnel so DISPLAY on the gpunix machines is set to localhost:19.0 or 10.0 or always something close to that.
To disable SSH forwarding, just set the DISPLAY variable to point to your host, similar to how you described the Sun machines working.

Mee wrote:
the sun machines, however, have display set to xxxx.vpn.umr.edu:0.0 (hence, no tunnel, its trying to forward directly to me)
This is correct procedure for unencrypted X communications. Since you're going through a VPN tunnel, it's really only unencrypted between the Sun machine and the VPN barrier.

Mee wrote:
checked sshd_config on the sun machines (actually in /etc/ssh) and x11 forwarding is off, but that just means its not done through a tunnel right?
Correct
Mee wrote:
i should be able to run x11 apps as long as DISPLAY points to my own x server, right?
Correct. You may need to set up your server properly. Read below.

Mee wrote:
basically, if x11 is forwarded through the ssh tunnel it works fine, otherwise not. and its not that the sun machines just WONT allow remote x11 use, because it works fine from on campus (the 105 machines)
I think the problem lies in your X server. By default, a secure X server does not allow connections from other machines. A good SSH tunneling program like PuTTY or OSSH will automatically negotiate the details allowing remote X apps to be displayed.

I don't know what X server you're running.
-For X-Win32 you need to explicitly allow the Sun machine to connect and draw windows on your computer. It's somewhere buried in the options.
-For the XFree86/X.org server, you'll need to open an xterm and enter
Code:
# no space after the plus: a bare "+" switches access control off for every host
xhost +<IP address of remote machine>
where <> is, well, you know. The plus is literal, you need to have that. This will allow the Sun machine full access to draw on your server. To disable this after you're finished simply substitute a minus for the plus. If you forget, I believe it automatically resets to secure when you restart your X server. (By the way, xhost+ really isn't secure. Read up on X some more to find better, but more complicated ways.)


 Post subject:
PostPosted: Tue 08-31-2004 7:02PM 
Offline
Colonel

Joined: Tue 03-18-2003 6:44PM
Posts: 747

Source: VPN
got it.

xhost had already been set, but apparently kdm starts x with the -nolisten command, disabling tcp connections altogether. so does the startx script (on my distro anyway). but gdm doesnt. its easy enough to disable in both kdm and startx, but still kind of a pain in the ass.

now i just gotta get all those damn fonts so mentor graphics stuff will work
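
Added example (not part of any post in this thread): a shell script for the three checks the thread works through, namely what a DISPLAY value implies, whether sshd_config enables X11Forwarding, and whether the local X server was started with -nolisten tcp. The function names, the /usr/bin/X command line and the sample config contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; every sample value at the bottom is constructed.

# classify_display VALUE -> unset | local | ssh-tunnel | direct-tcp (heuristic)
classify_display() {
    case "$1" in
        "") echo unset ;;
        :*|unix:*) echo local ;;              # Unix socket, no TCP involved
        localhost:*|127.0.0.1:*)
            n=${1#*:}; n=${n%%.*}
            # sshd's X11DisplayOffset defaults to 10, so its proxies are :10 and up
            if [ "$n" -ge 10 ] 2>/dev/null; then echo ssh-tunnel
            else echo direct-tcp; fi ;;
        *:*) echo direct-tcp ;;               # plain TCP to that host
        *) echo unset ;;
    esac
}

# display_port VALUE -> TCP port an X client dials: 6000 + display number
display_port() { n=${1#*:}; n=${n%%.*}; echo $((6000 + n)); }

# x11_forwarding_setting FILE -> yes | no. sshd keeps the first value it reads
# and defaults to "no"; Match blocks are ignored here.
x11_forwarding_setting() {
    awk 'tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# x_server_tcp CMDLINE -> listening | disabled. Assumes a server that listens
# on TCP unless started with "-nolisten tcp", as kdm and startx do in the thread.
x_server_tcp() {
    case " $1 " in
        *" -nolisten tcp "*) echo disabled ;;
        *) echo listening ;;
    esac
}

report() {   # report DISPLAY SSHD_CONFIG X_SERVER_CMDLINE
    kind=$(classify_display "$1")
    echo "DISPLAY=$1 -> $kind (sshd X11Forwarding=$(x11_forwarding_setting "$2"))"
    [ "$kind" = direct-tcp ] || return 0
    echo "  client dials TCP $(display_port "$1"); local X server TCP: $(x_server_tcp "$3")"
}

cfg=$(mktemp)
printf '%s\n' '# constructed sshd_config' 'X11Forwarding no' > "$cfg"
report 'xxxx.vpn.umr.edu:0.0' "$cfg" '/usr/bin/X :0 -nolisten tcp'
printf '%s\n' 'X11Forwarding yes' > "$cfg"
report 'localhost:19.0' "$cfg" '/usr/bin/X :0 -nolisten tcp'
rm -f "$cfg"
```

A direct-tcp result paired with a "disabled" X server reproduces the failure in the thread; a "listening" server leaves port 6000 reachable by anything the network and xhost/xauth settings let through.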

